
Add a diki-run Job deployment to the ComplianceScan reconciler#48

Open
georgibaltiev wants to merge 1 commit into gardener:main from georgibaltiev:add/diki-runner-job

Conversation

@georgibaltiev
Contributor

@georgibaltiev georgibaltiev commented Apr 16, 2026

How to categorize this PR?

/area usability
/kind enhancement

What this PR does / why we need it:
This PR refactors the reconciliation method for the ComplianceScan CRD within the diki-operator by deploying a diki-run Job that performs the scan. The Job's completion/failure patches the ComplianceScan's Status.

Which issue(s) this PR fixes:
Part of #3

Special notes for your reviewer:

Release note:

The operator now deploys a Job that performs the diki scan on the creation of a ComplianceScan resource.

@gardener-prow gardener-prow Bot added the kind/enhancement Enhancement, improvement, extension label Apr 16, 2026
@gardener-prow

gardener-prow Bot commented Apr 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign aleksandarsavchev for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow

gardener-prow Bot commented Apr 16, 2026

@georgibaltiev: The label(s) area/productivity cannot be applied, because the repository doesn't have them.


In response to this:

How to categorize this PR?

/area productivity
/kind enhancement

What this PR does / why we need it:

Which issue(s) this PR fixes:
Part of #3

Special notes for your reviewer:

Release note:


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Gardener seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@gardener-prow gardener-prow Bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cla: no Indicates the PR's author has not signed the cla-assistant.io CLA. labels Apr 16, 2026
@dimityrmirchev
Member

/cla

@gardener-prow

gardener-prow Bot commented Apr 17, 2026

Successfully reached out to cla-assistant.io to initialize recheck of PR #48

Member

@AleksandarSavchev AleksandarSavchev left a comment


Thanks, I have added some initial comments

resources:
- configmaps
verbs:
- create No newline at end of file
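Review bot: this rule grants `create` on configmaps, but which ServiceAccount the Role is bound to is not visible in this hunk; if it is the `diki-run` ServiceAccount listed in the RoleBinding subjects further down, check that the Job identity actually needs to create ConfigMaps at all. In this diff the operator creates the config ConfigMap (see `ConfigMapGenerateNamePrefix` in the reconciler) and the Job only mounts it as the `diki-config` volume, which requires no API verbs. If the scanner must read ConfigMaps through the API, `get` limited with `resourceNames` keeps the Job's identity closer to least privilege than an unscoped `create`.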
Member


Suggested change
- create
verbs:
- create

subjects:
- kind: ServiceAccount
name: diki-run
namespace: {{ .Release.Namespace }} No newline at end of file
Member


Suggested change
namespace: {{ .Release.Namespace }}
name: diki-run
namespace: {{ .Release.Namespace }}

name: diki-run
namespace: {{ .Release.Namespace }}
labels:
{{ include "labels" . | indent 4 }} No newline at end of file
Member


Suggested change
{{ include "labels" . | indent 4 }}
labels:
{{ include "labels" . | indent 4 }}

LabelValueDikiOperator = "diki-operator"

// ConfigMapGenerateNamePrefix is the prefix for diki config ConfigMap names.
ConfigMapGenerateNamePrefix = "diki-config-"
Member


Suggested change
ConfigMapNamePrefix = "diki-config-"

We no longer use GenerateName. This name can be changed.

return reconcile.Result{}, nil
}

if complianceScan.Status.Phase == v1alpha1.ComplianceScanRunning {
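Review bot: the `ComplianceScanRunning` branch here decides from the status phase alone, so a scan that was marked Running but whose Job was never created (the failure window raised in this thread) would stay Running forever. Before trusting the phase, look the Job up by its deterministic name and, when it is missing, either redeploy it or move the scan to a failed phase so the reconciler cannot get stuck on a status that no object backs.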
Member


In `deployResources` we first set the phase to Running. It is possible that the deploy fails after setting it to the Running phase but before we upscale the `Job

}

// DeployDikiRunJob creates a Kubernetes Job that runs the diki compliance scan.
func (r *Reconciler) deployDikiRunJob(ctx context.Context, complianceScan *v1alpha1.ComplianceScan, dikiConfigMapName string) (*batchv1.Job, error) {
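Review bot: the doc comment above this function names `DeployDikiRunJob` while the function itself is the unexported `deployDikiRunJob`; a Go doc comment should begin with the exact identifier it documents, so change it to `// deployDikiRunJob creates a Kubernetes Job that runs the diki compliance scan.`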
Member


I think it would be best for this method to be in a separate file in this package named dikirun.go


job := &batchv1.Job{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "diki-run-",
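Review bot: the visible `ObjectMeta` sets only `GenerateName`, which creates a fresh Job on every requeue of the same ComplianceScan and leaves no way to find an existing one. If the name is derived from the scan's UID as suggested in this thread, note that `complianceScan.UID` has type `types.UID`, so the concatenation needs an explicit conversion, e.g. `Name: "diki-run-" + string(complianceScan.UID)`. A deterministic name also means `Create` returns an AlreadyExists error on re-reconcile, which the caller must treat as success (or use a get-or-create path) rather than as a failed deploy. Consider setting an OwnerReference to the ComplianceScan here as well so the Job is garbage-collected with its scan, unless that is done elsewhere in the change.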
Member


Suggested change
GenerateName: "diki-run-",
Name: "diki-run-" + complianceScan.UID,

It would be best to use the same name format here as well. That way we can also find the Job by its name. `diki-run-` can also be stored in a const.

},
VolumeMounts: []corev1.VolumeMount{
{
Name: "diki-config",
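Review bot: the visible part of this `VolumeMount` sets only `Name`; the scanner only reads its configuration, so set `ReadOnly: true` on the mount as well, which keeps a compromised or misbehaving scan process from modifying the projected config in its own filesystem view.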
Member


Store `diki-config` in a const

Comment thread ~/Documents/productivity/gh/config.yml Outdated
Member


Unintended file?

Comment thread ~/Documents/productivity/gh/hosts.yml Outdated
Member


Unintended file?
